Gordon Adam - The Official (ISC)2 Guide to the SSCP CBK

THERE ARE TWO MAIN requirements that must be met in order to achieve the status of SSCP: one must take and pass the certification exam, and one must be able to demonstrate a minimum of one year of direct full-time security work experience in one or more of the seven domains of the (ISC) SSCP CBK. A firm understanding of what the seven domains of the SSCP CBK are, and how they relate to the landscape of business, is a vital element in successfully being able to meet both requirements and claim the SSCP credential. The mapping of the seven domains of the SSCP CBK to the job responsibilities of the information security practitioner in today's world can take many paths, based on a variety of factors such as industry vertical, regulatory oversight and compliance, geography, as well as public versus private versus military as the overarching framework for employment in the first place. In addition, considerations such as cultural practices and differences in language and meaning can also play a substantive role in the interpretation of what aspects of the CBK will mean and how they will be implemented in any given workplace.

It is not the purpose of this book to attempt to address all of these issues or provide a definitive prescription as to what is the path forward in all areas. Rather, it is to provide the official guide to the SSCP CBK and, in so doing, to lay out the information necessary to understand what the CBK is, how it is used to build the foundation for the SSCP, and its role in business today. Being able to map the SSCP CBK to your knowledge, experience, and understanding is the way that you will be able to translate the CBK into actionable and tangible elements for both the business and its users that you represent.

1. Although Access Control is a single domain within the SSCP Common Body of Knowledge (CBK), it is the most pervasive and omnipresent aspect of information security. Access controls encompass all operational levels of an organization:
   • FacilitiesAccess controls protect entry to, and movement around, an organization's physical locations to protect personnel, equipment, information, and other assets inside that facility.
   • Support SystemsAccess to support systems (such as power, heating, ventilation and air conditioning [HVAC] systems; water; and fire suppression controls) must be regulated so that a malicious entity is not able to compromise these systems and cause harm to the organization's personnel or the ability to support critical systems.
   • Information SystemsMultiple layers of access controls are present in most modern information systems and networks to protect those systems, and the information they contain, from harm or misuse.
   • PersonnelManagement, end users, customers, business partners, and nearly everyone else associated with an organization should be subject to some form of access control to ensure that the right people have the ability to interface with each other and not interfere with the people with whom they do not have any legitimate business.

     The goals of information security are to ensure the continued confidentiality-integrity-availability of an organization's assets. This includes both physical assets (such as buildings, equipment, and, of course, people) and information assets (such as company data and information systems). Access controls play a key role in ensuring the confidentiality of systems and information. Managing access to physical and information assets is fundamental to preventing exposure of data by controlling who can see, use, modify, or destroy those assets. In addition, managing an entity's admittance and rights to specific enterprise resources ensures that valuable data and services are not abused, misappropriated, or stolen. It is also a key factor for many organizations that are required to protect personal information in order to be compliant with appropriate legislation and industry compliance requirements.

2. The Security Operations and Administration domain is used to identify critical information and the execution of selected measures that eliminate or reduce adversary exploitation of critical information. It includes the definition of the controls over hardware, media, and the operators with access privileges to any of these resources. Auditing and monitoring are the mechanisms, tools, and facilities that permit the identification of security events and subsequent actions to identify the key elements and report the pertinent information to the appropriate individual, group, or process. The information security practitioner should always act to maintain operational resilience, protect valuable assets, control system accounts, and manage security services effectively. In the day-to-day operations of the business, maintaining expected levels of availability and integrity for data and services is where the information security practitioner impacts operational resilience. The day-to-day securing, monitoring, and maintenance of the resources of the business, both human and material, illustrate how the information security practitioner is able to protect valuable assets. The use of change and configuration management by the Information Security practitioner, as well as reporting and service improvement programs (SIP), ensures that the actions necessary to manage security services effectively are being carried out.
3. The Risk Identification, Monitoring, and Analysis domain focuses on determining system implementation and access in accordance with defined IT criteria. The use of risk management processes plays a central part in the activities of the security practitioner within this domain. Knowledge, awareness, and understanding of risk within the context of the business is an element critical to the successful implementation of an information security management system (ISMS) today, and one that this domain helps the Security Practitioner to understand and focus on. In addition, this domain also discusses collecting information for identification of, and response to, security breaches or events.
4. The Incident Response and Recovery domain focuses on the review, analysis, and implementation of processes essential to the identification, measurement, and control of loss associated with adverse events. The security practitioner will be expected to understand the incident handling process and how to support forensics investigations within the enterprise. In addition, knowledge of both business continuity and disaster recovery planning and processes will be important.
5. The Cryptography domain is a fascinating domain in the SSCP CBK. Few information security topics have the history, challenge, and technological advancements that cryptography enjoys. Throughout history, cryptography has been a crucial factor in military victories or failures, treason, espionage, and business advantage. Cryptography is both an art and a sciencethe use of deception and mathematics, to hide data as in steganography, to render data unintelligible through the transformation of data into an unreadable state, and to ensure that a message has not been altered in transit. Another feature of some cryptographic systems is the ability to provide assurance of who sent the message, authentication of source, and proof of delivery. Information security practitioner expectations according to the (ISC)2 Candidate Information Bulletin are that an SSCP candidate will be expected to know basic concepts within cryptography; public and private key algorithms in terms of their applications and uses; algorithm construction, key distribution and management, and methods of attack; the applications, construction, and use of digital signatures to provide authenticity of electronic transactions; and nonrepudiation of the parties involved.